LiteServ With SSL
It's now possible to run LiteServ as an SSL server. You can either use an official SSL cert from a certificate authority, or (in Couchbase Lite 1.04+) just tell LiteServ to make up a self-signed cert on its own.
(If you just want to have LiteServ make a self-signed certificate, skip down to the Run LiteServ section.)
The details of this depend on the certificate authority you use. Follow their directions to apply for and download your certificate. (For example, you might use Comodo.)
It's also possible to use the Keychain Access app to generate your own self-signed certificate without a CA.
The cert is probably in the form of an encrypted ".p12" file.
- Double-click the ".p12" file, or otherwise open it with the Keychain Access app.
- Enter the file's passphrase to let Keychain Access open it.
- Agree to import the cert.
You'll need to assign the cert a name, to identify it to LiteServ.
- Back in Keychain Access, select "My Certificates" from the "Category" list in the left column. (If the left column isn't showing, press the button at the lower left of the window to show it.)
- Select the certificate with the name you just entered. It'll have a gold-bordered icon.
- Right-click it and choose "New Identity Preference..." from the context menu.
- Enter the same name as the cert's name.
To run with an official certificate, add the command-line arguments --sslid and the identity pref name, e.g.:
./LiteServ --sslid jens.local
(In version 1.0.3 or earlier, the flag is named --ssl.)
To run with an automatically generated anonymous self-signed certificate, just add the argument --ssl:
./LiteServ --ssl
Just use the same URL but change the protocol to "https", e.g. https://jens.local:59840/.
An SSL client will normally refuse to accept a self-signed certificate, because it can't verify its identity. The easiest way around this is to disable cert verification. This does negate some of the benefits of SSL -- you still have encryption, but lose the assurance that the client is connecting to the server it intended to.
How you disable verification depends on the API or tool you're using. For example, with curl you use the --insecure flag:
curl --insecure https://jens.local:59840/
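A client can skip CA validation and still get back the identity assurance by accepting only the exact certificate it expects. The Python sketch below is an added example, not part of the original page or of Couchbase Lite; the function names and the placeholder fingerprint are assumptions. It assumes the certificate's SHA-256 fingerprint was recorded on the LiteServ host out of band and is recorded again whenever LiteServ presents a new certificate.

```python
import hashlib
import hmac
import socket
import ssl


def normalize_fingerprint(text):
    """Accept 'AB:CD:...' (openssl style) or bare hex; return lowercase hex."""
    hexstr = text.replace(":", "").replace(" ", "").lower()
    if len(hexstr) != 64 or any(c not in "0123456789abcdef" for c in hexstr):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return hexstr


def cert_matches_pin(der_cert, pinned):
    """True if SHA-256 of the DER certificate equals the pinned fingerprint."""
    actual = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(actual, normalize_fingerprint(pinned))


def connect_pinned(host, port, pinned, timeout=5.0):
    """Skip CA validation but refuse any certificate other than the pinned one."""
    pinned = normalize_fingerprint(pinned)  # fail early on a malformed pin
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # self-signed: no CA chain to validate
    ctx.verify_mode = ssl.CERT_NONE  # on its own, equivalent to curl --insecure
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)  # raw cert, even though unvalidated
    if der is None or not cert_matches_pin(der, pinned):
        tls.close()
        raise ssl.SSLError("server certificate does not match pinned fingerprint")
    return tls


if __name__ == "__main__":
    # Placeholder pin (constructed); record the real one on the LiteServ host.
    PIN = "00" * 32
    try:
        with connect_pinned("jens.local", 59840, PIN) as conn:
            conn.sendall(b"GET / HTTP/1.0\r\nHost: jens.local\r\n\r\n")
            print(conn.recv(4096).decode("latin-1"))
    except (OSError, ValueError) as exc:
        print("refused:", exc)
```

No request data is sent until the fingerprint check has passed, so a server presenting a different certificate never sees the client's traffic.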